Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1 - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #4991

closed

WebGUI does not support ECDSA certificates for IPSec Stage 1

Added by Brian Turek over 8 years ago. Updated over 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.5.0

Start date:

08/22/2015

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

I am currently successfully using ECDSA certificates with strongSwan on a Linux server and attempted to move the tunnel over to my pfSense router only to find it didn't work. The logs showed that it could not find my ECDSA private key "loading private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' failed" but it was able to load my ECDSA CA. Upon further investigation, I believe the only problem is that the ipsec.secrets file had my key type as RSA instead of the correct ECDSA type.

Given that I know strongSwan supports ECDSA certificates and that it successfully loaded my ECDSA CA certificate, I think this is as simple as adding a "Mutual ECDSA" to the Authentication method under the Phase 1 setup.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Chris Buechler about 8 years ago

Category set to IPsec

Actions

Copy link

Updated by Viktor Gurov over 4 years ago

can be closed

currently pfSense support ECDSA. see https://redmine.pfsense.org/issues/9843

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Assignee set to Jim Pingle
Target version set to 2.5.0

While support for ECDSA certificates is in 2.5.0, it needs tested with IPsec specifically to ensure it works.

Also, if it does work (which the strongSwan docs suggest it should), then it's probably time to finally rename any IPsec Certificate-based authentication methods using "RSA" to something more generic:

For example, changing this:

$p1_authentication_methods = array(
    'hybrid_rsa_server' => array('name' => gettext('Hybrid RSA + Xauth'), 'mobile' => true),
    'xauth_rsa_server' => array('name' => gettext('Mutual RSA + Xauth'), 'mobile' => true),
    'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'rsasig' => array('name' => gettext('Mutual RSA'), 'mobile' => false),
    'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);

Into this:

$p1_authentication_methods = array(
    'hybrid_cert_server' => array('name' => gettext('Hybrid Certificate + Xauth'), 'mobile' => true),
    'xauth_cert_server' => array('name' => gettext('Mutual Certificate + Xauth'), 'mobile' => true),
    'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'cert' => array('name' => gettext('Mutual Certificate'), 'mobile' => false),
    'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);

With upgrade code to adjust existing values.

Also, judging by the strongSwan and other docs, IPsec only supports a few curves with IKEv2 (and apparently only IKEv2): prime256v1, secp384r1, and secp521r1. This warrants input validation after testing to ensure that a compatible combination of options has been chosen.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from New to In Progress

ECDSA keys do work with IPsec, but the OP is right that the key type in ipsec.secrets is incorrect. It needs a fix there to detect the key type. I will commit a fix along with other related fixes I have coming. Additionally, though the documentation only states ECDSA works with IKEv2, it also works with IKEv1 in strongSwan.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from In Progress to Feedback
% Done changed from 0 to 100

Applied in changeset cffcf9bfaa1a054917d3427cbc7885b97db8902c.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

I split the task of renaming the options/fixing the backend code to change from "RSA" to "Certificate" into a new issue: #9903

So this issue is now only for testing ECDSA certificates with IPsec and ensuring that certificates with incompatible curves are hidden from the certificate list.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from Feedback to Resolved

Works fine now

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #4991

WebGUI does not support ECDSA certificates for IPSec Stage 1

Updated by Chris Buechler about 8 years ago

Updated by Viktor Gurov over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago